Some tweaks

Dockerfile

@@ -7,11 +7,14 @@ ENV HOME=/root
 RUN apt-get -y update && apt-get -y upgrade
 RUN apt-get -y install \
   wget git cmake make g++ bison flex cppcheck cpputest autoconf automake libtool curl gdb vim build-essential luajit hwloc openssl pkg-config openssh-server \
-  strace perl libio-socket-ssl-perl libcrypt-ssleay-perl ca-certificates libwww-perl python3-pip python3-pcapy python3-dpkt supervisor net-tools iputils-ping python3 \
+  strace perl libio-socket-ssl-perl libcrypt-ssleay-perl ca-certificates libwww-perl supervisor net-tools iputils-ping iproute2 ethtool \
   libdumbnet-dev libdnet-dev libpcap-dev libtirpc-dev libmnl-dev libunwind-dev libpcre3-dev zlib1g-dev libnet1-dev liblzma-dev \
   libssl-dev libhwloc-dev libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev autotools-dev libluajit-5.1-dev libfl-dev \
   libpcre3 libpcre3-dbg libyaml-0-2 libyaml-dev zlib1g libcap-ng-dev libcap-ng0 libmagic-dev libnuma-dev
 
+# Some network tweaks
+RUN ip add sh eth0
+
 # Build libdaq
 WORKDIR $HOME
 RUN git clone https://github.com/snort3/libdaq.git
@@ -44,8 +47,8 @@ RUN mkdir ${PREFIX_DIR}/etc/rules && \
   touch ${PREFIX_DIR}/etc/rules/local.rules && \
   touch ${PREFIX_DIR}/etc/lists/default.blocklist && \
   mkdir /var/log/snort
-COPY snort3-community-rules.tar ${HOME}/snort3-community-rules.tar
-RUN tar -xvzf snort3-community-rules.tar && cd snort3-community-rules && cp * ${PREFIX_DIR}/etc/rules/
+COPY snort3-community-rules.tar.gz ${HOME}/snort3-community-rules.tar.gz
+RUN tar -xvzf snort3-community-rules.tar.gz && cd snort3-community-rules && mkdir ${PREFIX_DIR}/etc/rules/snort3-community-rules/ && cp * ${PREFIX_DIR}/etc/rules/snort3-community-rules/
 RUN snort --version
 
 # Install OpenAppID
@@ -53,16 +56,6 @@ WORKDIR $HOME
 COPY snort-openappid.tar.gz ${HOME}/OpenAppId-23020.tar.gz
 RUN tar -xzvf OpenAppId-23020.tar.gz && cp -R odp /usr/local/lib/
 
-RUN pip3 install pygeoip dnif idstools
-#RUN mkdir /usr/local/lookups && cd /usr/local/lookups && \
-#    wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz && \
-#    wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz && \
-#    gunzip GeoLiteCity.dat.gz GeoIPASNum.dat.gz
-
-# Install snort-sgent
-WORKDIR /usr/local/src
-RUN wget https://github.com/dnif/snort-agent/archive/0.8.tar.gz && tar -zxvf 0.8.tar.gz && mv snort-agent-* snort-agent
-
 # Set up SSH
 RUN mkdir /var/run/sshd
 RUN echo 'root:screencast' | chpasswd
@@ -74,8 +67,5 @@ EXPOSE 22
 
 COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 COPY entrypoint.sh ${HOME}/entrypoint.sh
-#CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
 
-#ENTRYPOINT ["snort", "-c", "/usr/local/etc/snort/snort.lua", "-R", "/usr/local/etc/rules/snort3-community.rules", "-i", "wl01", "-s", "65535", "-k", "none"]
-#ENTRYPOINT ["tail", "-f", "/dev/null"]
 ENTRYPOINT ["/bin/bash", "/root/entrypoint.sh"]

docker-compose.yml

@@ -2,23 +2,26 @@ name: snort
 services:
     snort:
         restart: always
+        cap_add:
+            - NET_ADMIN
         build:
             dockerfile: Dockerfile
             context: ./
         volumes:
             - ./snort-conf:/usr/local/etc/snort
             - ./snort-rules.txt:/usr/local/etc/rules/local.rules
+            - ./logs:/var/log/snort
         ports:
             - 22:22
         networks:
             snort_lan:
-    ping:
-        image: willfarrell/ping
-        environment:
-            HOSTNAME: snort
-            TIMEOUT: 10
-        networks:
-            snort_lan:
+#    ping:
+#        image: willfarrell/ping
+#        environment:
+#            HOSTNAME: snort
+#            TIMEOUT: 10
+#        networks:
+#            snort_lan:
 networks:
     snort_lan:
         driver: bridge

entrypoint.sh

@@ -1 +1,6 @@
+ip route del default
+#ip route add default via 192.168.88.108
+ip route add default dev eth0
+
+
 /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf

snort-agent.conf

@@ -1,12 +0,0 @@
-[program:snort-agent]
-command=/usr/bin/python -u /usr/local/src/snort-agent/snort-agent.py
-process_name=%(program_name)s
-autostart=true
-autorestart=true
-redirect_stderr=true
-stdout_logfile=/var/log/snort-agent.log
-stderr_logfile=/var/log/snort-agent.log
-stderr_events_enabled=true
-directory=/tmp/
-stopasgroup=true
-stdout_logfile_maxbytes=10MB

snort-conf/snort.lua

@@ -21,7 +21,7 @@
 
 -- HOME_NET and EXTERNAL_NET must be set now
 -- setup the network addresses you are protecting
-HOME_NET = '172.20.0.0/24'
+HOME_NET = '192.168.88.0/24'
 
 -- set up the external network addresses.
 -- (leave as "any" in most situations)
@@ -191,8 +191,11 @@ ips =
     -- use include for rules files; be sure to set your path
     -- note that rules files can include other rules files
     -- (see also related path vars at the top of snort_defaults.lua)
-
-    variables = default_variables
+    variables = default_variables,
+    rules = [[ 
+    include $RULE_PATH/snort3-community-rules/snort3-community.rules
+    include $RULE_PATH/local.rules
+    ]]
 }
 
 -- use these to configure additional rule actions

supervisord.conf

@@ -11,8 +11,7 @@ command=/usr/sbin/sshd -D
 #autorestart=true
 
 [program:snort]
-#command=snort -i eth0s -d -c /usr/local/etc/snort/snort.lua -l /var/log/snort
-command=snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i eth0 -s 65535 -k none -l /var/log/snort
+command=snort -c /usr/local/etc/snort/snort.lua -i eth0 -s 65535 -k none -l /var/log/snort
 stdout_logfile=/var/log/snort/supervisor.log
 stderr_logfile=/var/log/snort/supervisor.log
 autorestart=true